From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100]) by master.gitmailbox.com (Postfix) with ESMTP id 22D9648319 for ; Mon, 22 Apr 2024 23:49:35 +0000 (UTC) Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id C663D68D37D; Tue, 23 Apr 2024 02:49:32 +0300 (EEST) Received: from relay6-d.mail.gandi.net (relay6-d.mail.gandi.net [217.70.183.198]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 4B3D468D0AF for ; Tue, 23 Apr 2024 02:49:26 +0300 (EEST) Received: by mail.gandi.net (Postfix) with ESMTPSA id A652FC0005 for ; Mon, 22 Apr 2024 23:49:25 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=niedermayer.cc; s=gm1; t=1713829765; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=GmxnGooXYJJwiA96taUpBmHCIqW/7g9lt8AsNdFAIz8=; b=gjotJIteS41eXYDcyyRMAi9+78UZaDr5s53hHrHr90E+AG2rEtDsdssH+lwBans56STRHv CLbsWPozGwvaf+AeOxHqtP7kjPkjfrWYiH0EiEpukmvUy6H3SUezhsSy59ySSJ8cpNA3pX re0PtiVcfwt1XtFWTiLoteKP0AX1jrst6J57KI9QnQVvtPrsaY8gD9X8Tzm2Eyl5Ha/2p6 qZBJwmpy+XbVADBcP3zHOhgwtVg9sVPesU1hTWrYZO7WrU0pdiR6DNuyP8Louc2XjDR+cX z3M/CJxAcoBlD5vj7lZ3/5NCwEaYts5l/TioiCi9VsVFE+PrrTLV/yI1zzTP6A== Date: Tue, 23 Apr 2024 01:49:24 +0200 From: Michael Niedermayer To: FFmpeg development discussions and patches Message-ID: <20240422234924.GE6420@pb2> References: <20240422013150.458103-1-michael@niedermayer.cc> <67b2f0ee-9465-4b76-ad15-be68d9faa987@jkqxz.net> <3ed83124-4f7e-4ed6-8e3c-3a97852617b7@gmail.com> <20240422210132.GD6420@pb2> MIME-Version: 1.0 In-Reply-To: X-GND-Sasl: michael@niedermayer.cc Subject: Re: [FFmpeg-devel] [PATCH] avcodec/cbs_h2645: Check NAL space X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches Content-Type: multipart/mixed; boundary="===============0748311375634877587==" Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" Archived-At: List-Archive: List-Post: --===============0748311375634877587== Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="Xqba9i6vSwh/aj07" Content-Disposition: inline --Xqba9i6vSwh/aj07 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Mon, Apr 22, 2024 at 06:07:42PM -0300, James Almer wrote: > On 4/22/2024 6:01 PM, Michael Niedermayer wrote: > > On Mon, Apr 22, 2024 at 05:46:10PM -0300, James Almer wrote: > > > On 4/22/2024 5:40 PM, Mark Thompson wrote: > > > > On 22/04/2024 02:31, Michael Niedermayer wrote: > > > > > Found-by-reviewing: CID1419833 Untrusted loop bound > > > > >=20 > > > > > Sponsored-by: Sovereign Tech Fund > > > > > Signed-off-by: Michael Niedermayer > > > > > --- > > > > > libavcodec/cbs_h2645.c | 4 ++++ > > > > > 1 file changed, 4 insertions(+) > > > > >=20 > > > > > diff --git a/libavcodec/cbs_h2645.c b/libavcodec/cbs_h2645.c > > > > > index fe2e383ff33..1a45d424bae 100644 > > > > > --- a/libavcodec/cbs_h2645.c > > > > > +++ b/libavcodec/cbs_h2645.c > > > > > @@ -709,7 +709,11 @@ static int cbs_h2645_split_fragment(CodedBit= streamContext *ctx, > > > > > start =3D bytestream2_tell(&gbc); > > > > > for(i =3D 0; i < num_nalus; i++) { > > > > > + if (bytestream2_get_bytes_left(&gbc) < 2) > > > > > + return AVERROR_INVALIDDATA; > > > > > size =3D bytestream2_get_be16(&gbc); > > > > > + if (bytestream2_get_bytes_left(&gbc) < size) > > > > > + return AVERROR_INVALIDDATA; > > > > > bytestream2_skip(&gbc, size); > > > > > } > > > > > end =3D bytestream2_tell(&gbc); > > > >=20 > > > > Seems fair. > > > >=20 > > > > The problem looks more general with missing bounds checks in all th= e H.266 code around this, though? Compare with H.26[45], which have checks= on all the reads - seems like H.266 should be doing that. > > > >=20 > > > > Thanks, > > >=20 > > > Not against this approach, but since the bytestream2_get_* functions = return > > > 0, never overread the buffer or move the internal pointer, wouldn't i= t be > > > enough to just ensure end > start? > > > Particularly in ff_h2645_packet_split(), we can return an error if le= ngth > > > (in this case being set to end - start) is < 4. > >=20 > > The patch adds the same kind of check as are used in the AV_CODEC_ID_HE= VC > > case earlier in the file already > >=20 > > I think what is done should approximately stay in sync >=20 > fwiw, better not add an initial length check to ff_h2645_packet_split() l= ike > i suggested, as it could potentially break samples that would otherwise > decode just fine. It setting nb_nals to 0 should be enough. iam not 100% i parsed that text correctly >=20 > So this patch is fine. Further bytestream2_get_bytes_left() checks can be > added too, namely one that checks the buffer is at least the smallest siz= e a > vvcC box can be. ok will apply patch thx [...] --=20 Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB Republics decline into democracies and democracies degenerate into despotisms. -- Aristotle --Xqba9i6vSwh/aj07 Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iF0EABEIAB0WIQSf8hKLFH72cwut8TNhHseHBAsPqwUCZib3egAKCRBhHseHBAsP q0HRAJ9ezXz8GLPb9mFJbi7NWlNiUg9FUACbBvGtEePwOpMIHbYdCo+M4blBG1k= =iDIz -----END PGP SIGNATURE----- --Xqba9i6vSwh/aj07-- --===============0748311375634877587== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". --===============0748311375634877587==--